Solana Account Revival Attacks: How Closed Accounts Come Back to Haunt You

You closed the account. You zeroed the lamports. You thought the data was gone forever. But on Solana, "closed" doesn't always mean "dead" — and attackers know it. Account revival attacks are one of Solana's most insidious vulnerability classes. They exploit a fundamental gap between what developers think happens when an account is closed and what the runtime actually guarantees. In this deep dive, we'll dissect the mechanics, walk through real exploitation scenarios, and build a detection pipeline using open-source audit tools. The Anatomy of a Closed Account When a Solana program "closes" an account, the standard pattern looks like this: // Typical account closure **dest_account.lamports.borrow_mut() += **target_account.lamports.borrow(); **target_account.lamports.borrow_mut() = 0; *target_account.try_borrow_mut_data()? = &mut []; The developer's mental model: "Account is gone. Lamports transferred. Data wiped." The runtime's reality: The account data remains accessible for the r